[2881] in WWW Security List Archive
RE: Security aspects of Microsoft FrontPage server extensions?
daemon@ATHENA.MIT.EDU (Gary F. Ellison)
Tue Sep 3 14:48:12 1996
Date: Tue, 3 Sep 1996 09:20:42 -0400
From: "Gary F. Ellison" <gary.f.ellison@att.com>
To: Michael Mathieu <mikemat@microsoft.com>
Cc: "'www-security@ns2.rutgers.edu'" <www-security@ns2.rutgers.edu>
In-Reply-To: <c=US%a=_%p=msft%l=RED-86-MSG-960830194124Z-36803@mail.microsoft.com>
Reply-To: gary.f.ellison@att.com
Errors-To: owner-www-security@ns2.rutgers.edu
>>>>> "mm" == Michael Mathieu <mikemat@microsoft.com> writes:
>> Several of these things could be fixed by doing some things like
>> not necessarily following MS's installation instructions to the
>> letter. Another would be to put your HTTP server in a chroot()'ed
>> environment. Raise your hands if you think this is a pain in the
>> !@#$!.
>>
mm> Scott, I admire your industriousness here.;-) This is indeed a
mm> laborious task, and fortunately for everyone, we've created a
mm> special kit just for ISPs or other people running into this
mm> situation. This is available free just for the asking (email
mm> fptech@microsoft.com). We distributed this in hard copy form to
mm> several hundred ISPs at ISPCON the first week of August.
Frankly, setting up a chroot environment may be a bit tedious at first
but well worth it in the long run. However, it is a total waste of time
if you allow FrontPage to have write permission to your server
configuration files, since a rogue could easily turn off the "chroot"
directive. One alternative would be to chroot the daemon within
the /etc/rc* mechanism and not the httpd configuration.
In fact, the whole notion of the web server having the
same uid as the owner of the daemon configuration files and the
content gives me the creeps and is just asking for a USDOJ spray
painting incident.
--
mailto:gary.f.ellison@att.com http://www.att.com/homes/gary_ellison/
"Have you never wanted to look beyond the clouds and the stars? Or to know
what causes the trees to bud, or what changes a darkness into light? But if
you talk like that, people call you crazy."
- Frankenstein
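
Added example, not part of the original message: a small audit of the condition the reply objects to, reporting whether the uid the web server runs as could modify its own configuration files, either directly or through the directory that holds them. The function names and the sample path are assumptions made for illustration.

```python
import os
import stat
import sys


def write_reason(st, uid, gids):
    """Return why `uid` (with group set `gids`) can modify the object
    described by stat result `st`, or None if it cannot."""
    if uid == 0:
        return "uid 0 bypasses permission bits"
    if st.st_uid == uid:
        # The owner can always chmod the object back to writable,
        # so ownership is a finding whatever the mode bits say.
        return "owned by the server uid"
    if st.st_gid in gids:
        return "group-writable" if st.st_mode & stat.S_IWGRP else None
    return "world-writable" if st.st_mode & stat.S_IWOTH else None


def audit(paths, uid, gids):
    """Check each config file and its parent directory.

    A writable parent directory lets the file be replaced even when the
    file itself is read-only. The sticky bit is not modelled, so a sticky
    world-writable parent is reported conservatively.
    Returns a list of (path, reason) findings.
    """
    findings = []
    for path in paths:
        real = os.path.realpath(path)  # judge the real file, not a symlink
        for target in (real, os.path.dirname(real)):
            reason = write_reason(os.stat(target), uid, gids)
            if reason:
                findings.append((target, reason))
    return findings


if __name__ == "__main__":
    # Usage (hypothetical): audit.py <server-uid> <server-gid> <config>...
    server_uid, server_gid = int(sys.argv[1]), int(sys.argv[2])
    for target, reason in audit(sys.argv[3:], server_uid, {server_gid}):
        print(f"{target}: {reason}")
```

An empty result means the server uid has no direct way to rewrite the listed files, which is the precondition for a chroot setting stored in them to mean anything.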